Nebulae

During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.

"ADVSTORESHELL is capable of starting a process using CreateProcess"; "build_downer has the ability to use the WinExec API"; "Aria-body has the ability to launch files using ShellExecute"

“Sandworm Team used an arbitrary system service to load at system boot for persistence for Industroyer… replaced the ImagePath registry value of a Windows service with a new backdoor binary… [multiple groups/malware] creating a service / installing as a service / modifying service configurations for persistence.”

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.

“Sandworm Team used an arbitrary system service to load at system boot for persistence for Industroyer… replaced the ImagePath registry value of a Windows service with a new backdoor binary… [multiple groups/malware] creating a service / installing as a service / modifying service configurations for persistence.”

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.

“DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files… actors used the following command to rename one of their tools to a benign file name: ren "%temp%\upload" audiodg.exe … has used legitimate names and locations for files to evade defenses.”

The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.

The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.

"4H RAT sends an OS version identifier in its beacons"; "admin@338 actors used ... ver ... systeminfo"; "Bundlore will enumerate the macOS version ... using /usr/bin/sw_vers -productVersion"; "DarkTortilla ... querying ... WMI objects"; "Turla ... discover operating system configuration details using the systeminfo and set commands"

"...has a command to retrieve metadata for files on disk as well as a command to list the current working directory." / "...can list files and directories." / "...used the following commands... to obtain information about files and directories: dir c:\ >> %temp%\download ..."

"Babuk can enumerate disk volumes, get disk information"; "Ryuk has called GetLogicalDrives ... and GetDriveTypeW"; "Cuba can enumerate local drives, disk type, and disk free space"; "Chimera ... fsutil fsinfo drives"

Many entries state malware or actors can upload, transfer, send, or exfiltrate files from compromised hosts to command-and-control servers or attacker infrastructure.